I wonder how the JaasSecurityManager cache works in 3.2.x. Is every request from the client checked against the cache? I found out that if I make the second call immediately after the first call (I enable session management by setting SimpleSessionHandler, so the two calls have the same sessionID), the second call passes even though I do not provide user credentials. I checked the log and found that the credentials were not checked against the cache. Is this because the two calls have the same sessionID?
Also, how do I set the session timeout? I know the default value is 60 seconds. Do I set it from the client side or the server side?
How is the SimpleSessionHandler being set?